Hacking and defending oracle


Document information

David Litchfield has devoted years to relentlessly searching out the flaws in the Oracle database system and creating defenses against them. Now he offers you his complete arsenal to assess and defend your own Oracle systems. This in-depth guide explores every technique and tool used by black hat hackers to invade and compromise Oracle, and then it shows you how to find the weak spots and defend them. Without that knowledge, you have little chance of keeping your databases truly secure.

Contents

Copyright
Dedication 7
About the Author 7
Credits
Acknowledgments
Introduction 9
Code Samples from the Book 13
Oracle and Security 13
The "Unbreakable" Marketing Campaign 14
Independent Security Assessments 15
The Future 15
Chapter 1 Overview of the Oracle RDBMS 16
1.1 Architecture 16
1.2 Processes 17
1.3 The File System 30
1.4 The Network 31
1.5 Oracle Patching 35
1.6 Wrapping Up 37
Chapter 2 The Oracle Network Architecture 37
2.1 The TNS Protocol 38
2.2 Getting the Oracle Version 44
2.3 Wrapping Up 52
Chapter 3 Attacking the TNS Listener and Dispatchers 70
3.1 Attacking the TNS Listener 70
3.2 The Aurora GIOP Server 72
3.3 The XML Database 84
3.4 Wrapping Up 94
Chapter 4 Attacking the Authentication Process 94
4.1 How Authentication Works 95
4.2 Attacks Against the Crypto Aspects 106
4.3 Default Usernames and Passwords 114
4.4 Account Enumeration and Brute Force 120
4.5 Wrapping Up 122
Chapter 5 Oracle and PL/SQL 122
5.1 What Is PL/SQL? 123
5.2 PL/SQL Execution Privileges 123
5.3 Wrapped PL/SQL 130
5.4 PL/SQL Injection 135
5.5 Investigating Flaws 149
5.6 Direct SQL Execution Flaws 154
5.7 PL/SQL Race Conditions 155
5.8 Auditing PL/SQL Code 159
5.9 The DBMS_ASSERT Package 161
5.10 Some Real-World Examples 162
5.11 Wrapping Up 176
Chapter 6 Triggers 176
6.1 Trigger Happy: Exploiting Triggers for Fun and Profit 176
6.2 Examples of Exploiting Triggers 180
6.3 Wrapping Up 188
Chapter 7 Indirect Privilege Escalation 188
7.1 A Hop, a Step, and a Jump: Getting DBA Privileges Indirectly 188
7.2 Wrapping Up 200
Chapter 8 Defeating Virtual Private Databases 201
8.1 Tricking Oracle into Dropping a Policy 201
8.2 Defeating VPDs with Raw File Access 211
8.3 General Privileges 215
8.4 Wrapping Up 216
Chapter 9 Attacking Oracle PL/SQL Web Applications 216
9.1 Oracle PL/SQL Gateway Architecture 216
9.2 Recognizing the Oracle PL/SQL Gateway 217
9.3 Verifying the Existence of the Oracle PL/SQL Gateway 221
9.4 Attacking the PL/SQL Gateway 228
9.5 Wrapping Up 242
Chapter 10 Running Operating System Commands 242
10.1 Running OS Commands through PL/SQL 242
10.2 Running OS Commands through Java 244
10.3 Running OS Commands Using DBMS_SCHEDULER 245
10.4 Running OS Commands Directly with the Job Scheduler 247
10.5 Running OS Commands Using ALTER SYSTEM 251
10.6 Wrapping Up 252
Chapter 11 Accessing the File System 252
11.1 Accessing the File System Using the UTL_FILE Package 252
11.2 Accessing the File System Using Java 255
11.3 Accessing Binary Files 257
11.4 Exploring Operating System Environment Variables 263
11.5 Wrapping Up 265
Chapter 12 Accessing the Network 265
12.1 Data Exfiltration 266
12.2 Encrypting Data Prior to Exfiltrating 271
12.3 Attacking Other Systems on the Network 272
12.4 Java and the Network 275
12.5 Database Links 278
12.6 Wrapping Up 278
Appendix A Default Usernames and Passwords 278

Copyright

The Oracle® Hacker's Handbook: Hacking and Defending Oracle
Published by Wiley Publishing, Inc., 10475 Crosspoint Boulevard, Indianapolis, IN 46256, www.wiley.com
Copyright © 2007 by David Litchfield. Published by Wiley Publishing, Inc., Indianapolis, Indiana. Published simultaneously in Canada.
ISBN-13: 978-0-470-08022-1
ISBN-10: 0-470-08022-1
Manufactured in the United States of America.

No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8600. Requests to the Publisher for permission should be addressed to the Legal Department, Wiley Publishing, Inc., 10475 Crosspoint Blvd., Indianapolis, IN 46256, (317) 572-3447, fax (317) 572-4355, or online at www.wiley.com/go/permissions.

Limit of Liability/Disclaimer of Warranty: The publisher and the author make no representations or warranties with respect to the accuracy or completeness of the contents of this work and specifically disclaim all warranties, including without limitation warranties of fitness for a particular purpose. No warranty may be created or extended by sales or promotional materials. The advice and strategies contained herein may not be suitable for every situation. This work is sold with the understanding that the publisher is not engaged in rendering legal, accounting, or other professional services. If professional assistance is required, the services of a competent professional person should be sought. Neither the publisher nor the author shall be liable for damages arising herefrom. The fact that an organization or Website is referred to in this work as a citation and/or a potential source of further information does not mean that the author or the publisher endorses the information the organization or Website may provide or recommendations it may make. Further, readers should be aware that Internet Websites listed in this work may have changed or disappeared between when this work was written and when it is read.

For general information on our other products and services or to obtain technical support, please contact our Customer Care Department within the U.S. at (800) 762-2974, outside the U.S. at (317) 572-3993 or fax (317) 572-4002. Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not be available in electronic books.

Library of Congress Cataloging-in-Publication Data:
Litchfield, David, 1975-
The Oracle hacker's handbook : hacking and defending Oracle / David Litchfield. p. cm. Includes index.
ISBN-13: 978-0-470-08022-1 (paper/website)
ISBN-10: 0-470-08022-1 (paper/website)
1. Oracle (Computer file) 2. Database security. I. Title.
QA76.9.D314.L58 2007
005.8–dc22 2006036733

Trademarks: Wiley, the Wiley logo, and related trade dress are trademarks or registered trademarks of John Wiley & Sons, Inc. and/or its affiliates, in the United States and other countries, and may not be used without written permission. Oracle is a registered trademark of Oracle Corporation. All other trademarks are the property of their respective owners. Wiley Publishing, Inc., is not associated with any product or vendor mentioned in this book.

Dedication

With love, for Sophie and our two "girls," Susie and Katie. Adopt a greyhound!

About the Author

David Litchfield is the founder and Chief Research Scientist of NGSSoftware Ltd., a U.K.-based security solutions provider. David is known as the world's premier expert on Oracle database security, having gained that reputation when he uncovered a security hole in Oracle Database Servers, which disproved Oracle's multimillion dollar "unbreakable" marketing campaign. He has lectured at both the National Security Agency in the U.S. and G.C.H.Q. in the U.K. on emerging threats and information assurance. He is a regular speaker at Blackhat Security Briefings and Microsoft Bluehat and Microsoft TechEd. Previously, he was Director of Security Architecture at @stake, since acquired by Symantec. David has designed NGSSQuirreL, a powerful tool for advanced database vulnerability and risk assessment.

Credits

Executive Editor: Carol Long
Development Editor: Kenyon Brown
Production Editor: William A. Barton
Copy Editor: Luann Rouff
Editorial Manager: Mary Beth Wakefield
Production Manager: Tim Tate
Vice President & Executive Group Publisher: Richard Swadley
Vice President and Publisher: Joseph B. Wikert
Project Coordinator: Jennifer Theriot
Graphics and Production Specialists: Carrie A. Foster, Brooke Graczyk, Denny Hager, Stephanie D. Jumper, Alicia B. South
Quality Control Technician: Jessica Kramer
Proofreading and Indexing: Linda Quigley, Techbooks
Anniversary Logo Design: Richard Pacifico

Acknowledgments

Firstly, I'd like to extend my gratitude to my wife, Sophie, for her understanding and putting up with my odd sleeping times. I'd also like to thank the team at Wiley, with special thanks going to both Carol Long and Kenyon Brown for putting up with the long periods of "blackouts" followed by an avalanche of material.

Introduction

It's terribly important that Oracle get security right, and so far their record has been poor. The Oracle RDBMS has had more critical security vulnerabilities than any other database server product. By critical, I mean those flaws that can be exploited by a remote attacker with no user ID and password and which give them full control over the database server. To put these critical security vulnerabilities in context, IBM's DB2 has had 1; Informix has had 2; and Microsoft's SQL Server has had ; Oracle has had . That's more than the other database servers put together. In terms of flaws that require a user ID and password but yield full control when exploited, again Oracle outstrips the rest by far. These facts stand in stark contrast to Oracle's marketing campaigns claiming that their product is "unbreakable." When Oracle executives say, "We have the security problem solved. That's what we're good at," it makes you wonder what they're talking about. So far the problem is not solved, and complacency should have no home in an organization that develops software that is installed in most governments' networks. This is why it is absolutely critical for Oracle to get it right— national security is at stake.

Oracle's idea of what security means is formed largely on the U.S. Department of Defense's assurance standards. This is why Oracle can state that they "get security." This may have worked 15 years ago, but the security landscape has entirely changed since then. Let me explain further. The Oracle RDBMS was evaluated under the Common Criteria to EAL4— assurance level 4—which is no mean feat. However, the first few versions of Oracle that gained EAL4 had a buffer overflow vulnerability in the authentication mechanism. By passing a long username to the server, a stack-based buffer is overflowed, overwriting program control information and allowing an attacker to take complete control. How on earth did this get through and how was it missed? The answer is that there is a vast divide between what "standards" security means and what real security means. There is, of course, an important place for standards, but they are not the be-all and end-all, and Oracle would do well to learn this lesson. Standards imply rules, but hackers don't play by the rules.

Perhaps Oracle is beginning to understand, though. By all accounts they have shaken up and improved their coding standards, and have invested in numerous tools to help them develop more secure code; and there is evidence to suggest that things are getting better on the security front. Oracle 10g Release 2 is a dramatic improvement over 10g Release 1. Security holes are still being discovered in 10g Release 2, but nowhere near the numbers that have been found with 10g Release 1. Oracle has also improved their security patch release mechanism. Every quarter, Oracle releases a Critical Patch Update (CPU), and up until July 2006 every CPU was reissued multiple times because of failings and missing fixes and other problems. The July 2006 CPU was different; it was released once—hopefully the start of a trend. Considering that things are improving, where exactly is Oracle on this journey to "security" utopia—by which I mean a secure product that actually matches the marketing speak?

In answering this question, for any vendor, a key pointer is to look at how they respond to security researchers. In the summer of 2006 at the Blackhat Security Briefing, I was on a panel that discussed the issues surrounding the disclosure of security flaws. The panel moderator, Paul Proctor from Gartner, insightfully suggested that "Microsoft is in the acceptance phase. Cisco is slowly moving out of the anger stage and into the acceptance stage. Oracle, on the other hand, is just coming out of the denial stage and into the anger stage." This is an accurate assessment in my estimation. Like Microsoft a few years ago, when Scott Culp published his "Information Anarchy" paper, Oracle too had their say about security researchers when Mary-Ann Davidson, the Chief Security Officer of Oracle, wrote her article "When Security Researchers Become the Problem." The difference between Mary-Ann's article and Scott's paper is that Scott's needed to be said, as it was published at a time when there was information anarchy and not much responsible disclosure going on; it was an attempt at convincing security researchers to work with the vendor. This is why Mary-Ann's article a few years later failed to hit home: The security researchers she disparaged were already working with Oracle to try to help improve their product. Oracle failed to see that they and security researchers were working toward the same goal—a more secure database server. Part of the article discusses security researchers making explicit and implicit threats, such as "Fix it in the next three weeks because I am giving a paper at Black Hat." However, Oracle should understand that a security researcher is under no obligation to inform them that they are going to present a paper; and if they tell them, Oracle should appreciate the heads up. Such information is a courtesy. Calling this an "implicit threat" is

Posted: 19/05/2023, 12:21